Insider threats can take many forms, from the absent-minded employee failing to follow basic security protocols, to the malicious insider, intentionally seeking to harm your organization.
Some threats may stem from a simple mistake, others from a personal vendetta. Some insiders will work alone, others at the behest of a competitor or nation-state.
Whatever the method and the motives, the results can be devastating. The average cost of a single negligent insider incident exceeds $300k. That figure increases to over $755k for a criminal or malicious attack and up to $871k for one involving credential theft.
Unlike many other common attacks, insider attacks are rarely a smash-and-grab. The longer a threat goes undetected, the more damage it can do to your organization. The better you understand your people – their motivations, and their relationship with your data and networks – the earlier you can detect and contain potential threats.
Insider threats can be loosely split into two categories – negligent and malicious. Within those categories is a range of potential drivers.
As the mechanics of an attack can differ significantly depending on its motives, gaining a thorough understanding of these drivers can be the difference between a potential threat and a successful breach.
Financial gain is perhaps the most common driver for the malicious insider. Employees across all levels are aware that corporate data and sensitive information have value.
To an employee with access to your data, allowing it to fall into the wrong hands can seem like minimal risk for significant reward.
This is another threat that is likely higher risk in the current environment. The coronavirus pandemic has placed millions of people under financial pressure, with many furloughed or facing job insecurity. What once seemed an unimaginable decision may now feel like a quick solution.
Negligence is the most common cause of insider threats, costing organizations an average of $4.58 million per year.
Such a threat usually results from poor security hygiene – a failure to properly log in/out of corporate systems, writing down or reusing passwords, using unauthorized devices or applications, and a failure to protect company data.
Negligent insiders are often repeat offenders who may skirt round security for greater speed, increased productivity or just convenience.
A distracted employee could fall into the “negligent” category. However, it is worth highlighting separately as this type of threat can be harder to spot.
Where negligent employees may raise red flags by regularly ignoring security best practices, the distracted insider may be a model employee until the moment they make a mistake.
The risk of distraction is potentially higher right now, with most employees working remotely, many for the first time, often interchanging between work and personal applications. Outside of the formal office environment and distracted by home life, they may have different work patterns, be more relaxed and inclined to click on malicious links or bypass formal security conventions.
Some malicious insiders have no interest in personal gain. Their sole driver is harming your organization.
The headlines are full of stories about the devastating impact of data breaches. For anyone wishing to damage an organization’s reputation or revenues, there is no better way in the digital world than by leaking sensitive customer data.
Insiders with this motivation will usually have a grievance against your business. They may have been overlooked for a pay rise or promotion, or recently subject to disciplinary action.
Espionage and sabotage
Malicious insiders do not always work alone. In some cases, they may be passing information to a third-party such as a competitor or a nation-state.
Such cases tend to fall under espionage or sabotage. This could mean a competitor recruiting a plant in your organization to syphon out intellectual property, R&D, or customer information to gain an edge, or a nation-state looking for government secrets or classified information to destabilize another.
Cases like these have been on the increase in recent years. Hackers and plants from Russia, China, and North Korea are regularly implicated in cases of corporate and state-sponsored insider attacks against Western organizations.
Defending from within
Just as they affect method, motives also dictate the appropriate response. An effective deterrent against negligence is unlikely to deter a committed and sophisticated insider intent on causing harm to your organization.
That said, the foundation for any defense is comprehensive controls. You must have total visibility of your networks – who is using them and what data they are accessing. These controls should be leveraged to limit sensitive information to only the most privileged users and to strictly limit the transfer of data from company systems.
With this broad base in place, you can now add further layers to counter specific threats. To protect against disgruntled employees, for example, additional protections could include filters on company communications to flag high-risk vocabulary, and specific controls applied to high-risk individuals, such as those who have been disciplined or are soon to be leaving the company.
Finally, any successful defense against insider threats should have your people at its heart.
You must create a strong security culture. This means all users must be aware of how their behavior can unintentionally put your organization at risk. All must know how to spot early signs of potential threats, whatever the cause. And all must be aware of the severe consequences of intentionally putting your organization in harm’s way.
Employees, whether careless or malicious, can pose a great risk to organizations, a Bitglass survey reveals. 61% of survey respondents reported at least one insider attack over the last 12 months (22% reported at least six separate attacks).
Insider threats becoming increasingly challenging
Businesses are currently undergoing seismic shifts, including rapid migrations to the cloud and widespread adoption of remote work and BYOD (bring your own device) policies. Along with these trends, securing against insider threats has become increasingly challenging.
Most organizations cannot guarantee that they can detect insider threats stemming from personal devices (82%) or the cloud (50%), while 81% find it difficult to assess the impact of insider attacks.
Despite these concerns, few respondents have a single platform that delivers complete, unified visibility and control for any interaction.
When dealing with multiple disjointed tools that provide disparate levels of protection, security professionals spend an inordinate amount of time managing each of the solutions individually. As such, 49% of respondents stated that at least one week typically goes by before insider attacks are detected; additionally, 44% said that another week usually passes before the organization recovers from the attacks.
Security budgets are decreasing
While organizations were already working with constrained security budgets before the pandemic, security teams are now being asked to do even more with less. 73% of companies’ security budgets are decreasing or staying flat over the next year.
“Along with brand damage, remediation costs, legal liabilities, and loss of revenue, these are serious ramifications that must be prevented. Enterprises need a multi-faceted security platform that is designed to monitor user behavior, secure personal devices, deliver maximum uptime and cost savings, and prevent leakage on any interaction. Only then can they defend against insider threats.”
Microsoft has released (in public preview) several new enterprise security offerings to help companies meet the challenges of remote work.
Double Key Encryption for Microsoft 365
Secure information sharing is always a challenge, and Microsoft thinks it has the right solution for organizations in highly regulated industries (e.g., financial services, healthcare).
“Double Key Encryption (…) uses two keys to protect your data—one key in your control, and a second key is stored securely in Microsoft Azure. Viewing data protected with Double Key Encryption requires access to both keys. Since Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, ensuring that you have full control over its privacy and security,” the company explained.
“You can host the Double Key Encryption service used to request your key, in a location of your choice (on-premises key management server or in the cloud) and maintain it as you would any other application.”
This Microsoft enterprise security solution allows organizations to migrate sensitive data to the cloud or share it via a cloud platform without relying solely on the provider’s encryption. Also, it makes sure that the cloud provider or collaborating third parties can’t have access to the sensitive data.
Microsoft Endpoint Data Loss Prevention
“Data Loss Prevention solutions help prevent data leaks and provide context-based policy enforcement for data at rest, in use, and in motion on-premises and in the cloud,” Alym Rayani, Senior Director, Microsoft 365, noted.
“Built into Windows 10, Microsoft Edge, and the Office apps, Endpoint DLP provides data-centric protection for sensitive information without the need for an additional agent, enabling you to prevent risky or inappropriate sharing, transfer, or use of sensitive data in accordance with your organization’s policies.”
Organizations can use it to prevent copying sensitive content to USB drives, printing of sensitive documents, uploading a sensitive file to a cloud service, an unallowed app accessing a sensitive file, etc.
When users attempt to do a risky action, they are alerted to the dangers and provided with a helpful explanation and guidance.
Insider Risk Management and Communication Compliance
Insider Risk Management is not a new offering from Microsoft, but has been augmented by new features that deliver new, quality insights related to the obfuscation, exfiltration, or infiltration of sensitive information.
“For those using Microsoft Defender Advanced Threat Protection (MDATP), we can now provide insights into whether someone is trying to evade security controls by disabling multi-factor authentication or installing unwanted software, which may indicate potentially malicious behavior,” explained Talhar Mir, Principal PM at Microsoft.
“Finally, one of the key early indicators as to whether someone may choose to participate in malicious activities is disgruntlement. In this release, we are further enhancing our native HR connector to allow organizations to choose whether they want to use additional HR insights that might indicate disgruntlement to initiate a policy.”
Communication Compliance was also introduced earlier this year, but now offers enhanced insights and improved actions to help foster a culture of inclusion and safety within the organization.
48% of employees are less likely to follow safe data practices when working from home, a report from Tessian reveals.
The global shift to remote working poses new security challenges for businesses and traditional security solutions are failing to curb the problem of the insider threat and accidental data loss.
Remote work compounds insider threats
While 91% of IT leaders trust their staff to follow best security practices when working remotely, 52% of employees believe they can get away with riskier behavior when working from home. 48% cite “not being watched by IT” as a reason for not following safe data practices, closely followed by “being distracted” (47%).
Additionally, staff report that security policies are a hindrance — 51% say such policies impede productivity and 54% will find workarounds if security policies stop them from doing their jobs.
Eighty-four percent of IT leaders also say data loss prevention is more challenging when employees are working from home and 58% of employees think information is less secure when working remotely.
Abandoning security when working remotely: Data loss is pervasive
30% of breaches involve internal actors exposing company information, as a result of negligent or malicious acts. Insider threats and data loss over email are particularly challenging for IT leaders to control, due to a lack of visibility of the threat. Key findings reveal:
- U.S. employees are more than twice as likely as UK workers to send emails to the wrong person (72% vs. 31%).
- IT leaders in US organizations with over 1,000 employees estimate that 480 emails are sent to the wrong person every year. Yet, Tessian platform data reveals that employees send at least 800 misdirected emails per year — 1.6x more than IT leaders estimate.
- U.S. employees are twice as likely to send company data to their personal email accounts as their UK counterparts (82% vs. 35%).
- IT leaders in US organizations with over 1,000 employees estimate that just 720 emails are sent to unauthorized accounts a year. The reality, per Tessian platform data, is at least 27,500 unauthorized emails are sent a year — 38x more than IT leaders estimate.
- One-third (34%) of employees take company documents with them when they leave a job, with U.S. workers twice as likely as UK workers to do so (45% vs. 23%).
IT leaders rely on security awareness training, policies and legacy technologies to prevent data loss, yet these practices may not be as effective as they think. The report finds that employees who receive security training every 1-3 months are almost twice as likely to send company data to personal accounts as those who receive training once a year (80% vs. 49%).
“Businesses have adapted quickly to the abrupt shift to remote working. The challenge they now face is protecting data from risky employee behaviors as working from home becomes the norm,” said Tim Sadler, CEO at Tessian.
“Human error is the biggest threat to companies’ data security, and IT teams lack true visibility of the threat. Business leaders need to address security cultures and adopt advanced solutions to prevent employees from making the costly mistakes that result in data breaches and non-compliance.
“It’s critical these solutions do not impede employees’ productivity though. We’ve shown that people will find workarounds if security gets in the way of them doing their jobs, so data loss prevention needs to be flexible if it’s going to be effective.”
Differences by age and company size
In addition to differences in safe security practices by region, there are also notable contrasts among age groups and startups vs. large enterprises. For example:
- 50% of workers from small companies (2-49 employees) agree they’re less likely to follow safe data practices when working from home, compared to only 30% from companies with 1,000 employees or more.
- Workers in the 18-30 age demographic are 3x more likely to send emails to the wrong person — 69% vs. 21% of workers who are 51 or older. And while 31-40 year olds are more careful on email, 57% admit to sending misdirected emails.
- 41% of workers aged 18-30 have taken company documents with them when they’ve left a job, compared to only 13% of workers aged 51 and older.
The McAfee report uncovers a correlation between the increased use of cloud services and collaboration tools, such as Cisco WebEx, Zoom, Microsoft Teams and Slack, during the COVID-19 pandemic and an increase in cyber attacks targeting the cloud.
There are significant and potentially long-lasting trends that include an increase in the use of cloud services, access from unmanaged devices and the rise of cloud-native threats. These trends emphasize the need for new security delivery models in the distributed work-from-home environment of today – and likely the future.
In the time surveyed, overall enterprise adoption of cloud services spiked by 50 percent, including industries such as manufacturing and financial services that typically rely on legacy on-premises applications, networking and security more than others.
Use of cloud collaboration tools increased by up to 600 percent, with the education sector seeing the most growth as more students are required to adopt distance learning practices.
Surging external attacks on cloud accounts
Threat events from external actors increased by 630 percent over the same period. Most of these external attacks targeted collaboration services like Microsoft 365, and were large-scale attempts to access cloud accounts with stolen credentials.
Insider threats remained the same, indicating that working from home has not negatively influenced employee loyalty. Access to the cloud by unmanaged, personal devices doubled, adding another layer of risk for security professionals working to keep their data secure in the cloud.
“While we are seeing a tremendous amount of courage and global goodwill to overcome the pandemic, we also are unfortunately seeing an increase in bad actors looking to exploit the sudden uptick in cloud adoption created by an increase in working from home,” said Rajiv Gupta, Senior VP, Cloud Security, McAfee.
“The risk of threat actors targeting the cloud far outweighs the risk brought on by changes in employee behavior. Mitigating this risk requires cloud-native security solutions that can detect and prevent external attacks and data loss from the cloud and from the use of unmanaged devices.
“Cloud-native security has to be deployed and managed remotely and can’t add any friction to employees whose work from home is essential to the health of their organization.”
How to maintain strong security posture
With cloud-native threats increasing in step with cloud adoption, all industries need to evaluate their security posture to protect against account takeover and data exfiltration. Companies need to safeguard against threat actors attempting to exploit weaknesses in their cloud deployments.
Tips to maintain strong security posture include:
- Think cloud-first: A cloud-centric security mindset can support the increase in cloud use and combat cloud-native threats. Enterprises need to shift their focus to data in the cloud and to cloud-native security services so they can maintain full visibility and control with a remote, distributed workforce.
- Consider your network: Remote work reduces the ability of hub-and-spoke networking to work effectively at scale. Network controls should be cloud-delivered and should connect remote users directly to the cloud services they need.
- Consolidate and reduce complexity: Cloud-delivered network security and cloud-native data security should interoperate smoothly and ideally be consolidated, to reduce complexity and total cost of ownership and to increase security effectiveness and responsiveness.
A staggering 96% of IT leaders in the legal sector say insider breach risk is a significant concern, according to Egress.
77% think employees have put data at risk accidentally in the past 12 months and 78% think employees have put data at risk intentionally. When asked about the implications of these breaches, 36% say financial damage would be the area of greatest impact.
More than 500 IT leaders and 5,000 employees were surveyed across the UK, US and Benelux regions. Among these were 106 IT leaders and 1,001 employees in legal sector companies.
Responses from legal sector employees show they are twice as likely as those from other sectors to admit both intentionally and accidentally breaking company policy when sharing data. 57% said they had intentionally broken company policy compared with a 29% average across all sectors, and 56% said they had done so accidentally, compared with 27% on average.
IT leaders from the legal sector are more pessimistic than average about the risk of future breaches. 44% say it is likely employees will put data at risk in the coming year – eight percentage points above average.
Concerning reliance on traditional technologies to prevent insider breaches
The research uncovered a concerning reliance on traditional technologies to prevent insider breaches. Just over half of legal sector IT leaders said they are using anti-virus software to combat phishing attacks and only 43% are using email encryption.
There is also a worrying reliance on self-reporting of incidents, with 61% of IT leaders saying that the most likely way of detecting an insider data breach is via employees notifying them.
Egress CEO Tony Pepper believes the findings show how IT leaders are resigned to the inevitability of insider breaches and don’t have adequate risk management processes and technology in place. “Given the sensitivity of the information they handle, the legal industry is one of the most at-risk sectors from both accidental and intentional insider data breaches.
“While they acknowledge the sustained risk, bizarrely IT leaders have not adopted new strategies or technologies to mitigate the threat. They are also relying far too heavily on their staff to self-report incidents, something our analysis suggests is totally ineffective.
“In essence, they are adopting a risk posture in which at least 44% of employees putting data at risk is deemed acceptable.
“The severe penalties for data breaches mean IT leaders must action better risk management strategies, using advanced tools to prevent insider incidents. They also need better visibility of risk vectors; relying on employees to report incidents is not an acceptable data protection strategy.”
Misdirected and phishing emails the top cause of accidental insider data breaches
55% of legal sector employees who had accidentally leaked data said they had done so because of a phishing email. 31% said they caused a breach by sending information to the wrong person, for example by email. This is underlined by the fact that 61% said they had received an Outlook recall message or a message asking them to disregard a previous email sent in error. All these figures exceed research averages.
Tony Pepper adds: “Incidents of people accidentally sending data to incorrect recipients have existed for as long as they’ve had access to email. As a fundamental communication tool, organizations have weighed the advantages of efficiency against data security considerations, and frequently compromise on the latter.
“However, we are in an unprecedented time of technological development, where tools built using contextual machine learning can combat common issues, such as misdirected emails, the wrong attachments being added to communications, auto-complete mistakes, and employees not using encryption tools correctly. Organizations need to tune into these advances to truly be able to make email safe.”
Erroneous employee views on data ownership in the legal sector
The survey also showed that employee misconceptions over data ownership have a negative impact on information security. Of the 57% who said they or a colleague had intentionally shared data against company policy in the past year, 58% said they did so when they took data with them to a new job, while 21% said they had taken a risk when sharing data because they weren’t provided with the right security tools.
This reckless approach to data protection may be explained by employees’ views on data ownership and responsibility. 56% of the legal industry employees surveyed don’t believe that data belongs exclusively to the organization and only 11% recognize that everyone has responsibility for keeping data safe.
“Employees want to own the data they create and work on, but don’t want the responsibility for keeping it safe. This is a toxic combination for data protection efforts,” said Tony Pepper.
“When you add their propensity to take data with them when they change jobs and willingness to take risks when sharing data, the scale of the challenge faced by security professionals is alarming.”
Given recent events, there will be an unprecedented number of legal employees working from home who might be looking for ways to send large multimedia files or are suddenly having to share more data via email. Proactively identifying and remediating risks to these changes in working behavior will help ensure tighter security and compliance.
Almost 65% of the nearly 300 international cybersecurity professionals canvassed by Gurucul at RSA Conference 2020 said they access documents that have nothing to do with their jobs.
Meanwhile, nearly 40% of respondents who experienced bad performance reviews also admitted to abusing their privileged access, which is double the overall rate (19%).
“We knew insider privilege abuse was rampant in most enterprises, but these survey results demonstrate that the infosecurity department is not immune to this practice,” said Saryu Nayyar, CEO of Gurucul. “Detecting impermissible access to resources by authorized users, whether it is malicious or not, is virtually impossible with traditional monitoring tools. That’s why many organizations are turning to security and risk analytics that look at both employee and entity behaviors to identify anomalies indicative of insider threats.”
- In finance, 58% said they have emailed company documents to their personal accounts.
- In healthcare, 33% have abused their privileged access.
- In manufacturing, 78% accessed documents unrelated to their jobs.
- In retail, 86% have clicked on a link in an email from someone they didn’t know.
- In midsize companies, 62% did not alert IT when their job role had changed.
This showcases the problems organizations have with employees behaving outside of the bounds of practical and published security policies. The human element is often the deciding factor in how data breaches occur. Monitoring and deterring risky employee behavior with machine learning based security analytics is the most effective measure in keeping mayhem to a minimum.
People may not realize their behavior is opening the door to cybercriminals, which is why security analytics technology is so critical to maintaining a secure corporate environment.
Cloud-based collaboration technologies and workforce turnover have become major drivers of data exfiltration as insider threat programs fail to keep pace with today’s digital workplace, a Code42 survey reveals.
Nearly 5,000 knowledge workers at companies with more than 1,000 employees in the U.S., U.K. and Germany were surveyed.
“When it comes to data loss, leak and theft, for too many companies, the inside is their blindside,” said Joe Payne, Code42’s president and CEO. “Insider threat programs are not keeping up with today’s collaborative work culture. People and data are on the move now more than ever. Workers are switching jobs, and company files are being uploaded to the web, emailed as attachments and synched to personal cloud accounts.”
Workers opt for unsanctioned collaboration tools to share company files
Cloud-based collaboration tools have changed the workplace. As part of their regular work routines, employees are emailing, airdropping, messaging and slacking from desktops, mobile devices, on the road and in coffee shops.
According to the report, workers routinely use both authorized and unauthorized cloud-based platforms to share files and ideas with colleagues. They sidestep sanctioned tools because they believe they are too complicated, restrictive and slow—or don’t have enough features.
The study found:
- The leading corporate standards for file sharing and collaboration include email (34%), Microsoft SharePoint (26%), Microsoft OneDrive (23%) and Google Drive (19%)
- WhatsApp (34%), Google Drive (30%), Facebook (29%) and personal email (26%) are the most commonly-used unauthorized platforms for sharing files with colleagues
- Thirty-seven percent (37%) of workers use unauthorized apps daily while 26% use them weekly to share files with colleagues
Collaboration tools rated among top vectors for data exfiltration
While technology has made it easy for employees to share files legitimately via personal email and the cloud, it’s also made it easier for them to exfiltrate — or even infiltrate — data like product ideas, source code and customer lists.
The risk of insider threat incidents is heightened because the very tools that workers use to collaborate are some of the most popular vectors for data exfiltration.
The study found:
- More than one-third (36%) of workers believe that the increased emphasis on file sharing has made them more complacent about data security
- Workers move data from one organization to another using email (38%), print hard copies (37%), external devices (35%), cloud collaboration platforms (31%) and browser uploads (26%)
- Nearly three-fourths (73%) of employees report they have access to data they didn’t create; 69% can view data they didn’t contribute to; and 59% can see data from other departments
Insider threat programs earn a failing mark as workers change jobs
The simple act of changing jobs can tempt employees to take company data — and workers are changing jobs more frequently than ever. Security teams continue to grapple with how to effectively deal with data theft and misuse — whether accidental or intentional — when employees depart.
As workers move from company to company, they admit that they have not only taken data with them, they have done it more than once. The consequences of this behavior are even more damaging to a business when workers take data from a former employer and go to work for a competitor.
According to the research, both former and new employers do little to stop data theft by transitioning employees.
Key findings said:
- 51% of the workers surveyed believe that the risk to corporate data when employees depart is bigger than organizations think
- Two-thirds (63%) of respondents who said they have taken data are repeat offenders
- Nearly nine out of ten (87%) employees report that no one ever approached them from their former employer to verify that they hadn’t taken data
- Three-fourths (75%) of respondents say that their new employer did not ask them if they had brought data from their previous employer
- One-third (32%) of respondents who had infiltrated data were encouraged by their new employers to share it with new colleagues
“Without the ability to detect and investigate file movement both inside and outside company walls, insider threat programs are leaving data more vulnerable and security teams flying blind,” said Jadee Hanson, CISO and VP of information systems for Code42.
“There’s a gap in the protection stack. Security teams need to reassess their solutions. This starts with an insider threat program that provides complete data visibility — from who has data access, to where data lives and moves.”
IoT is barreling toward the enterprise, but organizations remain highly vulnerable to IoT-based attacks, according to Extreme Networks.
The report, which surveyed 540 IT professionals across industries in North America, Europe, and Asia Pacific, found that 84% of organizations have IoT devices on their corporate networks. Of those organizations, 70% are aware of successful or attempted hacks, yet more than half do not use security measures beyond default passwords.
The results underscore the vulnerabilities that emerge from a fast-expanding attack surface and enterprises’ uncertainty in how to best defend themselves against breaches.
Organizations lack confidence in their network security
9 out of 10 IT professionals are not confident that their network is secured against attacks or breaches. Financial services IT professionals are the most concerned about security, with 89% saying they are not confident their networks are secured against breaches.
This is followed by the healthcare industry (88% not confident), then professional services (86% not confident). Education and government are the least concerned of any sector about their network being a target for attack.
Enterprises underestimate insider threats
55% of IT professionals believe the main risk of breaches comes mostly from outside the organization and over 70% believe they have complete visibility into the devices on the network.
But according to Verizon’s 2019 Data Breach Investigations Report, insider and privilege misuse was the top security incident pattern of 2019, and among the top three causes of breaches.
Europe’s IoT adoption catches up to North America
83% of organizations in EMEA are now deploying IoT, compared to 85% in North America, which was an early adopter. Greater IoT adoption across geographies is quickly expanding the attack surface.
Skills shortage and implementation complexity cause NAC deployments to fail
NAC is critical to protect networks from vulnerable IoT devices, yet a third of all NAC deployment projects fail.
The top reasons for unsuccessful NAC implementations are a lack of qualified IT personnel (37%), too much maintenance cost/effort (29%), and implementation complexity (19%).
SaaS-based networking adoption grows
72% of IT professionals want network access to be controlled from the cloud. This validates 650 Group’s prediction that more than half of enterprise network systems will transition to SaaS-based networking by the end of 2023.
“Enterprise adoption of IoT, coupled with the fast rise of cloud and edge computing, is massively expanding the attack surface. But the single greatest cybersecurity threat today is inertia,” said David Coleman, Director of Product Marketing, Extreme Networks.
“This data shows that across sectors, IT professionals are not confident in their own network security. Yet so many organizations still rely on the same legacy security tools they’ve been using for decades. It’s critical for enterprises to demand multi-layered network security solutions purpose-built for the modern, hybrid enterprise.”
A staggering 97% of IT leaders say insider breach risk is a significant concern, according to a survey by Egress.
78% think employees have put data at risk accidentally in the past 12 months and 75% think employees have put data at risk intentionally. When asked about the implications of these breaches, 41% say financial damage would be the area of greatest impact.
More than 500 IT leaders and 5000 employees were surveyed across the UK, US and Benelux regions.
The results uncovered serious discrepancies between IT leaders’ perceptions of insider breach risk and causes, and how they are managing them. It also exposed that employees are still confused about data ownership and responsibility.
Asked what traditional security tools they have in place to mitigate insider breach risk, just half of IT leaders said they are using anti-virus software to combat phishing attacks, 48% are using email encryption and 47% provide secure collaboration tools.
More than half (58%) say employee reporting is more likely than any breach detection system to alert them to an insider data breach.
Egress CEO, Tony Pepper, believes the findings show how IT leaders are resigned to the inevitability of insider breaches and don’t have adequate risk management in place.
“While they acknowledge the sustained risk of insider data breaches, bizarrely IT leaders have not adopted new strategies or technologies to mitigate the risk. Effectively, they are adopting a risk posture in which at least one-third of employees putting data at risk is deemed acceptable.
“The severe penalties for data breaches mean IT leaders must action better risk management strategies, using advanced tools to prevent insider data breaches. They also need better visibility of risk vectors; relying on employees to report incidents is not an acceptable data protection strategy.”
Misdirected and phishing emails top cause of accidental insider data breaches
41% of employees who had accidentally leaked data said they had done so because of a phishing email. 31% said they caused a breach by sending information to the wrong person, for example, by email.
This is underlined by the fact that 45% said they had received an Outlook recall message or an email asking them to disregard an email sent in error over the last year.
Tony Pepper adds: “Incidents of people accidentally sharing data with incorrect recipients have existed for as long as they’ve had access to email. As a fundamental communication tool, organizations and security teams have weighed the advantages of efficiency against data security considerations, and frequently compromise on the latter.
“However, we are in an unprecedented time of technological development, where tools built using contextual machine learning can combat common issues, such as misdirected emails, the wrong attachments being added to communications, auto-complete mistakes, and employees not using encryption tools correctly. Organizations need to tune into these advances to truly be able to make email safe.”
Erroneous employee views on data ownership
The survey also showed that employee misconceptions over data ownership have a negative impact on information security. The employee-facing research found 29% of respondents said they or a colleague had intentionally shared data against company policy in the past year.
A worrying 46% said they or a colleague had broken company policy when they took data with them to a new job, while more than a quarter (26%) said they had taken a risk when sharing data because they weren’t provided with the right security tools.
This reckless approach to data protection may be explained by employees’ views on data ownership and responsibility. 41% of the employees surveyed don’t believe that data belongs exclusively to the organization and only 37% recognise that everyone has responsibility for keeping data safe.
Tony Pepper comments: “Employees want to own the data they create and work on, but don’t want the responsibility for keeping it safe. This is a toxic combination for data protection efforts. When you add their propensity to take data with them when they change jobs and willingness to take risks when sharing data, the scale of the challenge faced by security professionals is alarming.”
Directors disrespecting data
The survey also highlighted that the more senior the employee, the more cavalier their attitude towards data breaches. 78% of directors have intentionally shared data against company policy in the past year, compared with just 10% of clerical staff.
Directors are the most likely to take data with them to a new job – 68% of those who had intentionally broken policy had done so when they changed jobs, compared with the overall average of 46%.
2019 was a bad year for data security. By virtually every metric, it was the worst ever. According to the Ponemon Institute’s 2019 Cost of a Data Breach Report, the average cost of a data breach reached $3.92 million, the highest amount on record. At the same time, the number of data breaches will reach an all-time high this year. The number of data breaches increased by 54% in the first half of 2019, with nearly 4,000 publicly disclosed breaches during that time. In total, more than 4.1 billion records have been exposed this year.
Increasingly, consumers and regulatory bodies are holding companies accountable for data breaches. An October 2019 survey found that 81% of consumers would stop engaging with a brand online after a data breach, which means the brand erosion and reputational damage that accompanies a breach is likely to add to the costs of a data security incident. Moreover, regulatory oversight like GDPR and CCPA is indicative of a growing regulatory trend that collectively raises the importance of data security in the year ahead.
For those charged with protecting company data, today’s expansive threat landscape can feel overwhelming, leading to increased levels of exhaustion and burnout. However, not all threats are equally pressing, as some are more likely and ominous than others.
Here are five cyber risks that will put company data at risk in 2020.
While cybersecurity often elicits images of ominous criminals operating in backrooms, one of the most significant data security threats is likely lurking in the cubicle next door. Employees represent a significant threat to data integrity. Verizon’s 2019 Insider Threat Report estimates that insider threats cause more than a third of all data breaches.
To be sure, this threat category is uniquely nuanced, as things like intentional data theft, accidental sharing, and other data disclosure methodologies combine to create a robust threat that companies will need to address in 2020.
With a broad collection of employee monitoring and endpoint data loss prevention software available, every company can be equipped to defend against insider threats. As the consequences of a data breach continue to escalate, securing data against this known variable is a critical step to ensuring data integrity in the year ahead.
Despite companies’ best efforts, phishing scams inevitably make their way into employees’ inboxes, putting company data at risk each time. Unfortunately, the deluge of data available from previous data breaches is being repurposed to craft authentic-looking messages that are increasingly difficult to detect.
In the year ahead, increased personalization and other deceptive tactics, like HTTPS encryption, will become the norm, increasing the impetus for companies to provide awareness training that keeps employees alert to the threats landing in their inboxes.
Cloud computing is among the latest trends for enterprises and SMBs alike. As the vast majority of businesses move their operations to the cloud, this transition presents an opportunity for data exposure. This technological oversight can have severe consequences for data security.
For instance, in November, a cybersecurity researcher discovered 1.2 billion records exposed on a single server, a surprisingly routine incident that underscores the threat of exposed databases to data security.
In 2020, companies need to understand that technological advancement can’t come at the expense of data security, and locking down these resources is often as simple as checking and rechecking that critical company data is password protected and not openly exposed to anyone able to locate it.
Fatigued IT admins
Cybersecurity professionals are faced with an incredible task. While they are defending against thousands of attacks every day, cybercriminals and internal bad actors only need to be successful once to inflict serious damage on a company. As a result, cybersecurity professionals are burning out and leaving the profession at a record rate. It’s estimated that 65% of IT professionals consider quitting their jobs, and a similar number are open to leaving the profession altogether.
This problem is endemic all the way to the highest levels of a company where chief information security officers have an average tenure of 18 to 24 months, which is, on average, more than four years less than other c-suite positions.
This high-stress, high-turnover environment puts data at risk, as a lack of continuity and unfilled positions create an environment where hackers can thrive. To assuage these concerns, companies need to prioritize automation as much as possible. In this way, they can protect their networks against insider and external threats without inundating cybersecurity staff with a continual deluge of risks to assess.
Despite the overwhelming evidence that data loss is one of the greatest threats facing companies in the digital age, there is growing evidence that c-suite executives are failing to appreciate the risks. In a survey of Australian CEOs, only 6% recognized that they had experienced a data breach, while 63% of CISOs noted a data loss event.
Similarly, only 26% of CISOs indicated that their company was ready to respond to a cyber threat, while 44% of CEOs thought their company was capable of a rapid recovery. Taken together, these numbers are indicative of one of the most notable threats to data security: indifference.
Simply put, companies and their leaders must acknowledge and appreciate the growing consequences of a data breach.
2019 has undoubtedly been a bad year for data security, and, unfortunately, there is no indication that 2020 will be any better. However, for companies that identify and respond to the most probable data security threats, it can be a differentiating factor, allowing them to thrive in 2020 and beyond.
With the proliferation of mobile devices and BYOD, ubiquitous and always available internet connectivity and the widespread use of private, public and hybrid cloud solutions, eventually all organizations will be forced to come to terms with these realities:
- There is no such thing as a traditional security perimeter anymore
- There is virtually no difference between internal and external threats.
- Binding activity to the user’s identity and endpoint is essential
Whether they are malicious actors focused …
The post Preventing insider threats, data loss and damage through zero trust appeared first on Help Net Security.